From patchwork Mon Jul 31 23:51:19 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 9873421 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 8924160224 for ; Mon, 31 Jul 2017 23:56:35 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 735F4285E5 for ; Mon, 31 Jul 2017 23:56:35 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 66DEA285DE; Mon, 31 Jul 2017 23:56:35 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.3 required=2.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_HI, RCVD_IN_SORBS_SPAM, T_DKIM_INVALID autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id DB199285E5 for ; Mon, 31 Jul 2017 23:56:34 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751667AbdGaXzp (ORCPT ); Mon, 31 Jul 2017 19:55:45 -0400 Received: from mail-pg0-f41.google.com ([74.125.83.41]:33684 "EHLO mail-pg0-f41.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751615AbdGaXvr (ORCPT ); Mon, 31 Jul 2017 19:51:47 -0400 Received: by mail-pg0-f41.google.com with SMTP id c14so558581pgn.0 for ; Mon, 31 Jul 2017 16:51:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=/5KNTl2gpCHBCU0GYwRdCqIM/tSn2T8y2+AEKOUDOa4=; b=CSb6pSqy5L7Lwm9l1cDnno1NNwsrViwsVXioIKHgju670PbjTOSqA7e5Ik9HM4Oiuj +z4rwSlMUhc6R4CJfdw+tgHluB1Q6QlqXnnavrHvneJzq4Ju/JN7dJa6kDGeojdwsaNJ aImqCQERHzOFA5r9n/qj5dhHEv0gTIrgDPThA= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=/5KNTl2gpCHBCU0GYwRdCqIM/tSn2T8y2+AEKOUDOa4=; b=hGZsBCOrA8HY4a6nzcv6HCWS0a4tJubYoHa1BjHrbmpNGE8yPB5jdEdymdc2G2hX/0 07YxsbbcIHxF4+z14VollUhLxziSYMuvUIx6uRmJ7BS4rYq1gKz5zsYz9xlXZxJzb8CA ST/s9Xhjs4sMIaL59y7fuABkrmYRcD065c5wH6EKOUv53RcsJ2Po1DXmLqV1mGSxamlg t+AN+gqJzGNe5rrmBx7ZWRGy+RWULUojMOC6X9ZGSirrk6rp+O+LdTNr4sE30oFv59vE RueH+0GlDbu3fQUqDiyYGOLtzw7moszt1g4jW+Py3rc6v5YYXRTOYHH7qAZAW1J+s7kn DFEQ== X-Gm-Message-State: AIVw111NtFcgBtbyMAZLeVVbu1Me+tK70sDAWTbH+l3QNPR8DbZJVppL 7x7ym4JyIbyQTUcm X-Received: by 10.99.186.7 with SMTP id k7mr17230345pgf.0.1501545107070; Mon, 31 Jul 2017 16:51:47 -0700 (PDT) Received: from www.outflux.net (173-164-112-133-Oregon.hfc.comcastbusiness.net. [173.164.112.133]) by smtp.gmail.com with ESMTPSA id v128sm47816371pgv.49.2017.07.31.16.51.44 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 31 Jul 2017 16:51:44 -0700 (PDT) From: Kees Cook To: Andrew Morton Cc: Kees Cook , David Howells , John Johansen , Paul Moore , Stephen Smalley , Casey Schaufler , James Morris , "Eric W. Biederman" , "Serge E. Hallyn" , Tetsuo Handa , Andy Lutomirski , Linus Torvalds , linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v4 01/15] exec: Rename bprm->cred_prepared to called_set_creds Date: Mon, 31 Jul 2017 16:51:19 -0700 Message-Id: <1501545093-56634-2-git-send-email-keescook@chromium.org> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1501545093-56634-1-git-send-email-keescook@chromium.org> References: <1501545093-56634-1-git-send-email-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP The cred_prepared bprm flag has a misleading name. It has nothing to do with the bprm_prepare_cred hook, and actually tracks if bprm_set_creds has been called. Rename this flag and improve its comment. Cc: David Howells Cc: John Johansen Cc: Paul Moore Cc: Stephen Smalley Cc: Casey Schaufler Cc: James Morris Signed-off-by: Kees Cook Acked-by: John Johansen Acked-by: James Morris Acked-by: Paul Moore Acked-by: Serge Hallyn --- fs/binfmt_flat.c | 2 +- fs/exec.c | 2 +- include/linux/binfmts.h | 8 ++++++-- security/apparmor/domain.c | 2 +- security/selinux/hooks.c | 2 +- security/smack/smack_lsm.c | 2 +- security/tomoyo/tomoyo.c | 2 +- 7 files changed, 12 insertions(+), 8 deletions(-) diff --git a/fs/binfmt_flat.c b/fs/binfmt_flat.c index 2edcefc0a294..a722530cc468 100644 --- a/fs/binfmt_flat.c +++ b/fs/binfmt_flat.c @@ -885,7 +885,7 @@ static int load_flat_shared_library(int id, struct lib_info *libs) * as we're past the point of no return and are dealing with shared * libraries. */ - bprm.cred_prepared = 1; + bprm.called_set_creds = 1; res = prepare_binprm(&bprm); diff --git a/fs/exec.c b/fs/exec.c index 72934df68471..cedae1620d2f 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -1527,7 +1527,7 @@ int prepare_binprm(struct linux_binprm *bprm) retval = security_bprm_set_creds(bprm); if (retval) return retval; - bprm->cred_prepared = 1; + bprm->called_set_creds = 1; memset(bprm->buf, 0, BINPRM_BUF_SIZE); return kernel_read(bprm->file, 0, bprm->buf, BINPRM_BUF_SIZE); diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h index 05488da3aee9..3cd98e8bc9dc 100644 --- a/include/linux/binfmts.h +++ b/include/linux/binfmts.h @@ -25,8 +25,12 @@ struct linux_binprm { struct mm_struct *mm; unsigned long p; /* current top of mem */ unsigned int - cred_prepared:1,/* true if creds already prepared (multiple - * preps happen for interpreters) */ + /* + * True after the bprm_set_creds hook has been called once + * (multiple calls can be made via prepare_binprm() for + * binfmt_script/misc). + */ + called_set_creds:1, cap_effective:1;/* true if has elevated effective capabilities, * false if not; except for init which inherits * its parent's caps anyway */ diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c index 001e133a3c8c..878407e023e3 100644 --- a/security/apparmor/domain.c +++ b/security/apparmor/domain.c @@ -350,7 +350,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm) const char *name = NULL, *info = NULL; int error = 0; - if (bprm->cred_prepared) + if (bprm->called_set_creds) return 0; ctx = cred_ctx(bprm->cred); diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index e67a526d1f30..5d4051541518 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2328,7 +2328,7 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm) /* SELinux context only depends on initial program or script and not * the script interpreter */ - if (bprm->cred_prepared) + if (bprm->called_set_creds) return 0; old_tsec = current_security(); diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 658f5d8c7e76..7d4b2e221124 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -917,7 +917,7 @@ static int smack_bprm_set_creds(struct linux_binprm *bprm) struct superblock_smack *sbsp; int rc; - if (bprm->cred_prepared) + if (bprm->called_set_creds) return 0; isp = inode->i_security; diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c index 130b4fa4f65f..d25b705360e0 100644 --- a/security/tomoyo/tomoyo.c +++ b/security/tomoyo/tomoyo.c @@ -76,7 +76,7 @@ static int tomoyo_bprm_set_creds(struct linux_binprm *bprm) * Do only if this function is called for the first time of an execve * operation. */ - if (bprm->cred_prepared) + if (bprm->called_set_creds) return 0; #ifndef CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER /*